An Introduction to the Deputy Assistant Secretary of Defense for Information and Identity Assurance

Robert Lentz

Deputy Assistant Secretary of Defense for Information and Identity Assurance

Trusted information, anytime, anywhere is the vision of the year-old Office of the Deputy Assistant Secretary of Defense for Information and Identity Assurance (DASD[IIA]). Every functional, operational, domain, and institutional-based joint capability of the Department of Defense (DoD) is information dependent and relies on trusted information to function effectively. The DoD faces daily attacks on its networks and systems, ranging from curious kids to much more advanced, organized campaigns. The DASD(IIA) team is providing a defense-in-breadth approach to protect our systems, networks, and information.


Defense transformation hinges on the recognition that information is a key strategic resource within the DoD and across government agencies. This information is a critical component of situational awareness, allowing decision makers at all levels to quickly turn information into decisions and, ultimately, into actions. Ensuring timely and trusted information is available wherever, whenever, and to those who need it most is at the heart of net-centricity. Net-centricity ensures that authorized users at any level can take what they need and contribute what they know.

The benefits of net-centricity unquestionably rely on one fundamental prerequisite: identity assurance. Users must have confidence that information has integrity — it has not been tampered with; authenticity — it is from a trusted source; and availability — it will be accessible when needed, even in the face of attack. Threats to our information are real, multi-faceted, sophisticated, and growing in number and effectiveness. Additionally, the DoD’s missions are increasingly dependent on the information technology (IT) underpinnings provided by the Global Information Grid (GIG). The GIG’s resiliency and continuity of mission-essential functions is a priority as sophisticated adversaries improve knowledge of our capabilities. Moreover, as the business and operational environments in which we operate continue to change almost daily, we can neither predict when nor how today’s technologies will be overtaken by more advanced technologies, nor can we predict how events around the world will affect future requirements and what the costs will be to protect our assets. The Information Assurance (IA) community’s challenge is to address today’s challenges while developing new and innovative capabilities to avert and mitigate tomorrow’s threats and the impact of yet-unknown external factors.

Recognizing the importance of a secure, trusted network, the Honorable John J. Grimes, Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer (ASD[NII]/DoD CIO), recently created the Office of the DASD(IIA). The office was created from the IA Directorate, formally part of the deputy CIO’s office, and elevated the oversight of IA throughout the DoD from a director-level position to the level of a deputy assistant secretary.

The new office is organized around the following directorates:

•  The IA Policy and Strategy Directorate, responsible for providing IA policy and strategic direction to enable capabilities required to deliver IA throughout the DoD, to include devising and advancing IA strategic initiatives, enabling assured net-centric operations, developing domestic and coalition cyber partnerships, and influencing secure and resilient network architectures.

•  The Defense-wide IA Program (DIAP) Directorate, responsible for ensuring the DoD’s vital information resources are secured and protected through IA compliance by applying a defense-in-breadth methodology that integrates the capabilities of people, operations, and technology to establish multilayer, multidimensional protection.

•  The Identity Assurance/Public Key Infrastructure Directorate, responsible for providing DoD-level direction and guidance for enterprise-wide identity services that ensure the availability of an operational identity management infrastructure consistent with the architectural constructs established in the GIG.

•  The Globalization Task Force, responsible for developing and overseeing implementation of a strategy for mitigating national security risks arising from the increasing globalization of the information and communications technologies infrastructure consistent with the objectives of ASD(NII)/DoD CIO and national policy.

•  The Defense Industrial Base Cyber Security Task Force, responsible for securing critical DoD programs and technology by protecting DoD controlled unclassified information resident on defense industrial base networks through the development, implementation, and execution of DoD policy, resources, structure, and processes in collaboration with DoD components, industry, and other federal government departments, collectively known as the interagency.

•  A DoD senior IA engineer and chief technology officer to provide advice on IA engineering programs and projects and emerging technical challenges, planning and execution of the GIG IA Portfolio Management Office (GIAP) and enterprise-wide systems engineering efforts.

In addition to these directorates, the office is tasked with management oversight for the GIAP and tasked with analyzing, selecting, controlling, and evaluating critical IA capabilities and associated investments to enable information superiority to deliver the best mix of IA capabilities, ensuring cyberspace dominance across the full range of military operations. The Unified Cross Domain Management Office is tasked with providing centralized direction, coordination, and oversight for all cross domain activities and investments within the DoD.

IA within the DoD previously relied on a defense-in-depth approach to assuring information based largely upon firewalls and software patches; the focus was on attempting to keep intruders out and data safe. As approaches to IA have evolved, the DoD is moving towards a defense-in-breadth approach, integrating capabilities of people, operations, and technology to establish a multi-layer, multidimensional protection that will assure our information warfare capabilities and information-critical components are trusted throughout their lifespan to achieve decision/mission superiority.

This defense-in-breadth approach will be highlighted in a rewrite of the DoD IA Strategic Plan (SP) to be completed this year. The original DoD IA SP provided a shared vision, goals, objectives, and a consistent, enterprise-wide approach for securing the GIG since its release in January 2004. As stated in the first version of the DoD IA SP, it is a living document and we are committed to updating it to keep it vital and to accurately reflect the major IA issues confronting the DoD. As such, an updated version of the DoD IA SP was signed by the ASD(NII)/DoD CIO in March 2008 [1]. The revised plan reaffirms the vision and goals introduced in 2004 for assuring information and updates relevant objectives and the actions critical to securing the net-centric GIG and achieving our long-term vision: delivering the power of information: access — share — collaborate. The following five goals introduced in 2004 remain in the 2008 interim version and continue to be the cornerstone of the DoD IA SP:

•  Goal 1: Protect information to achieve assured information sharing. Achieving this goal of trusted data anywhere on the Net requires partnerships and combined efforts with other components of the security community (i.e., physical security, personnel security, and critical infrastructure protection) in order to provide an integrated systems security posture.

•  Goal 2: Defend systems and networks. The points of focus for this goal are the Computer Network Defense protection, detection, and reaction mechanisms for DoD systems and networks and adaptive configuration management, a critical capability that includes both active and passive defenses necessary to correctly respond to legitimate but changing demands while simultaneously defending against adversary-induced threats.

•  Goal 3: Align GIG mission assurance through integrated IA situational awareness and IA command and control. The complex and interdependent nature of our information networks and the demands of net-centric warfare require shared awareness and understanding across the enterprise to enable effective command and control. Combatant commanders require sufficient visibility into their network operations, including the threats to these networks and the IA capabilities applied to protect, defend, and respond to them.

•  Goal 4: Transform and enable IA capabilities. Transforming IA capabilities depends heavily on the ability to influence the processes the DoD uses to create, assess, test, and implement new ideas. Developing new approaches to problem solving depends on the synergy between each process as an idea progresses from concept to reality. The focus of this goal is to influence the development of three key processes (acquisition, planning, and innovation) to further the IA mission and support the transformation of the force.

•  Goal 5: Create an IA-empowered workforce. This goal addresses IA awareness, technical training, and security management. IA awareness is targeted to all DoD employees, from entry-level to senior executive service to flag officer. Technical training and education focuses on system and network administrators and personnel performing maintenance functions on DoD workstations, systems, and networks as well as IA officers, IA managers, designated approving authorities, and their IA staffs.

The planned revision to the SP will place significant emphasis on operationalizing full life-cycle security, or defense-in-breadth, and will reflect the strategic priorities of the DoD outlined in the Quadrennial Defense Review and the CIO’s SP. Additionally, it will call out IA as the bedrock underpinning the GIG and place more emphasis on achieving mission assurance by expanding the scope of our third goal: to leverage all elements of information warfare and operationalizing the defense-in-breadth approach.

The DoD has realized several significant accomplishments across each of the five goals to effectively increase its security posture; however, while tremendous progress has been made in validating requirements, defining an architectural road map, operationalizing policies and transformative processes, and developing and deploying innovative technical solutions to the warfighters and business communities, our future success will require a continued focus on the operational aspects of IA, fusing people, processes, and technologies to combat current and future threats in real-world operational environments. This includes a fusion with the IC.

A significant accomplishment of the new DASD has been the publication of DoD IA Certification and Accreditation Process (DIACAP) [2], which replaces the interim DIACAP instruction released in July 2006. The DIACAP instruction articulates policy and establishes the process for conducting IA certification and accreditation (C&A) of DoD information systems. Replacing the DoD IT security certification and accreditation process, the DIACAP supports the evolution to a net-centric GIG through a dynamic IA C&A process that provides visibility and control of IA capabilities and services, including core enterprise services and Web-enabled systems and applications.

Under the DIACAP, all DoD-owned information systems and DoD controlled information systems operated by a contractor or other entity on behalf of the DoD will be certified and accredited through a standardized enterprise process for identifying, implementing, and managing IA capabilities and services. Through this enterprise process, the DIACAP supports the transition of DoD information systems to GIG standards and a net-centric environment while enabling assured information sharing.

Crosstalk has been gracious enough to devote this issue to DoD IA issues. We hope you find them informative, thought-provoking, and helpful towards understanding the roles, missions, and challenges that face the DoD today and in the future.

Notes 

1.  Available online at the DoD IA Portal, Common Access Card required <https://www.us.army.mil/suite/portal/index.jsp>.

2.  DoD Instruction 8510.01. 28 Nov. 2007 <www.dtic.mil/whs/directives/corres/pdf/851001p.pdf>.